
The Clock Is Ticking: What Government Contractors Need to Know About the Upcoming CMMC Level 1 Deadline

Robert Wilkinson, CISSP, Director, Technology Advisory & Practice Administration

Whether you have one employee or 1000, if your business supports the U.S. Department of Defense (DoD) directly or indirectly (i.e. as a subcontractor to another business that supports the DoD), you will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) requirements in order to be awarded certain contracts.

The timelines for compliance vary slightly depending on whether your organization only handles basic “Federal Contract Information” (FCI) or more sensitive “Controlled Unclassified Information” (CUI). The sensitivity of the data entrusted to you determines which CMMC level you must meet, as well as the deadline for compliance.

What is the CMMC?

There are numerous cybersecurity frameworks in use today, and many share common controls or overlap. “CMMC” is the DoD’s framework to ensure that contractors handling FCI and CUI meet minimum cybersecurity standards to protect digital records that contain confidential information pertaining to military operations, critical infrastructure, and the like.

CMMC is based largely on existing industry standards, primarily NIST SP 800-171. It was developed with input from a broad base of industry leaders who are committed to the common goal of securing defense contractors and the defense industrial base.

CMMC 2.0, the current version, has three levels:

Level | # of Controls | Assessment Required
L1    | 17            | Self-assessment (annual)
L2    | 110           | Self-assessment or a certified third-party assessor (C3PAO)
L3    | 134           | Government-led

For most small and mid-sized firms in the defense supply chain, Level 1 is the relevant requirement, and its enforcement is approaching quickly.

What is the CMMC Compliance Deadline?

On December 26, 2024, the DoD finalized its CMMC Program Rule (32 CFR Part 170), laying the foundation for how cybersecurity maturity requirements will be implemented.

A complementary Acquisition Rule (which will allow CMMC to appear in contracts) was finalized on September 10, 2025, and will take effect 60 days later.

That means as early as November 10, 2025, CMMC requirements may begin appearing in new solicitations and contracts.

Source: https://www.acq.osd.mil/dpap/dars/opencases/dfarscasenum/dfars.pdf

Phased Rollout: What We Know

The Department of Defense has structured the CMMC implementation across four phases:

Phase 1: November 10, 2025 (60 days after the Acquisition Rule became effective)
  Assessment type required: Submit annual self-assessments at Level 1 or non-prioritized Level 2 in applicable contracts.
  These self-assessment submissions operate under an honor system, but submitting a false attestation may constitute a violation of the False Claims Act (FCA).

Phase 2: November 10, 2026 (one year after Phase 1)
  Assessment type required: Triennial third-party assessments for Level 2.
  CUI contracts become mandatory.

Phase 3: November 10, 2027 (two years after Phase 1)
  Assessment type required: Level 3 (for the most sensitive contracts) may start being inserted.
  The DoD has discretion on timing and which contracts get Level 3.

Phase 4: November 10, 2028 (three years after Phase 1)
  Assessment type required: Full inclusion of CMMC in all applicable solicitations and contracts.

Some contractors are already seeing CMMC requirements appear in RFPs — especially when subcontracting to larger primes or bidding on work tied to critical missions.

Bottom line: If you handle FCI, you’ll likely need to perform and affirm your Level 1 self-assessment within months, not years.

Observations and Lessons Learned

Level 1 may “only” have 17 practices, but consistent implementation is more involved than many expect. Here are four common blind spots:

1. It’s Not Just IT or your MSP’s Job

Many assume cybersecurity is a technology issue. But Level 1 controls span policies, processes, and human behavior. Access control, physical safeguards, and training all require coordination across HR, facilities, and leadership — not just IT.

2. IT still plays a crucial role, and needs to mature

Your technical team remains essential for implementing and maintaining secure configurations, managing user access, and monitoring your environment. Even at CMMC Level 1, you’ll need a hardened IT environment with protections like strong authentication, regular patching, and restricted administrative privileges.

Resist the temptation to interpret the requirements loosely, or treat partial compliance as full compliance.

Don’t rush through implementation just to “check the box.” A mature cybersecurity posture benefits both your organization and the DoD. CMMC isn’t only a compliance exercise; it’s an opportunity to improve your operational resilience and build trust with all your customers.

3. Documentation Still Matters

While CMMC Level 1 doesn’t require the same amount of formal documentation as Level 2, such as full system security plans (SSPs), you still need to show evidence of implementation.

Self-attestation is not based on trust alone; it requires supporting artifacts such as configuration screenshots, logs, policy snippets, or access control settings.

Think of this less like the “check-the-box” exercises of yesteryear, and more like an audit: “prove you did it and are still doing it.” Even at Level 1, evidence matters, both for internal accountability and potential government review.

4. The Cloud Doesn’t Cover You Completely

Using platforms like Microsoft 365, AWS, or Google Workspace can support your compliance efforts, but cloud providers are typically responsible only for security of their platform, not the direct security of your data.

You're still responsible for key security configurations, including:

  • User access controls
  • Password policies
  • MFA enforcement
  • Monitoring and reviewing audit logs

CMMC doesn’t stop at your cloud provider’s boundary. You must ensure your environment is securely configured and continuously monitored, even if it’s hosted in a compliant cloud.

Kreischer Miller Can Assist With Your CMMC Readiness Efforts

At Kreischer Miller, we’ve helped mid-market companies prepare for regulatory change for decades, and CMMC is no exception.

We provide practical, right-sized support with:

  • Explaining CMMC requirements in plain language
  • Performing readiness assessments and gap analysis, using the RealCISO™ platform
  • Building evidence packages and self-assessment artifacts
  • Guiding you through SPRS submission and affirmation

Our approach is straightforward: no fear tactics, no one-size-fits-all solutions, and minimal “geek speak.” Our goal is to give you the right guidance, informed by years of experience, so that you can protect sensitive data, stay eligible for DoD contracts, and position your business for growth.

Don’t Wait Until It’s in the Contract

The CMMC clock is ticking. Failing to prepare could delay awards or disqualify you altogether.

If you're not sure where your organization stands, now is the time to get clarity. Our Technology Advisory team is ready to help you take the right next step.

Contact us today to start CMMC readiness conversations.
